Securonix SNYPR
SNYPR is a big data security analytics platform built on Hadoop that uses Securonix machine-learning-based anomaly detection techniques and threat models to detect sophisticated cyber and insider attacks.

## Capabilities

This connector provides the following capabilities:

- Run Activity Query
- Get Top Threats
- Get Top Violations
- Get Top Violators
- List All Policies
- List All Users
- Retrieve List of Incidents

Note: to get "all violations by policy name", use the Run Activity Query action with the query `index=violation and policyname = <policyname> and <additional conditions>`.

## Asset Setup

This connector asset requires a URL, a username and a password to authenticate.

Notes: https://documentation.securonix.com/bundle/securonix-cloud-user-guide/page/content/rest-api-categories.htm

Additional notes:

- The base URL or host URL must be in the format `hostname-or-ipaddress/snypr`.
- When using the Retrieve List of Incidents action, the parameter `tenantname` is optional for non-MSSP deployments and is required for MSSP deployments. If needed, see the documentation: https://documentation.securonix.com/bundle/securonix-cloud-user-guide/page/content/rest-api-categories.htm#retrieve-list-of-incidents

## Configurations

### Securonix SNYPR Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Run Activity Query

Run simple searches from the Unified Defense SIEM interface on the activity collection. "|" (pipe) or operator searches are not currently supported.

Endpoint URL: `snypr/ws/spotter/index/search`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.query | string | required | Parameters for the Run Activity Query action |
| parameters.eventtime_from | string | required | Parameters for the Run Activity Query action |
| parameters.eventtime_to | string | required | Parameters for the Run Activity Query action |
| parameters.tz | string | optional | Parameters for the Run Activity Query action |
| parameters.prettyJson | boolean | optional | Parameters for the Run Activity Query action |
| parameters.max | number | optional | This parameter is only available for version 6.2 CU4 SP4 and above |
| parameters.queryId | string | optional | This parameter is only available for version 6.2 CU4 SP4 and above |

Input example:

```json
{"parameters": {"query": "index=activity and resourcegroupname = \"carbonblackalert 19mayrin\"", "eventtime_from": "03/21/2023 10:06:10", "eventtime_to": "03/25/2023 10:06:10", "tz": "UTC", "prettyJson": true, "max": 1000, "queryId": "spotterwebservicee8904c76-b230-4ad7-990f-eefd220a22b8"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totaldocuments | number | Output field totaldocuments |
| events | array | Output field events |
| events.timeline_by_month | string | Output field timeline_by_month |
| events.rg_timezoneoffset | string | Output field rg_timezoneoffset |
| events.resourcegroupname | string | Name of the resource |
| events.eventid | string | Unique identifier |
| events.ipaddress | string | Output field ipaddress |
| events.week | string | Output field week |
| events.year | string | Output field year |
| events.accountresourcekey | string | Output field accountresourcekey |
| events.resourcehostname | string | Name of the resource |
| events.sourceprocessname | string | Name of the resource |
| events.rg_functionality | string | Output field rg_functionality |
| events.userid | string | Unique identifier |
| events.customfield2 | string | Output field customfield2 |
| events.dayofmonth | string | Output field dayofmonth |
| events.jobid | string | Unique identifier |
| events.resourcegroupid | string | Unique identifier |
| events.datetime | string | Time value |
| events.timeline_by_hour | string | Output field timeline_by_hour |
| events.collectiontimestamp | string | Output field collectiontimestamp |
| events.hour | string | Output field hour |
| events.accountname | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 25 Jan 2024 00:34:27 GMT", "content-type": "text/plain", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=31536000 ; includeSubDomains", "cache-control": "private, no-store, no-cache, must-revalidate", "x-frame-options": "DENY", "pragma": "no-cache", "x-xss-protection": "1 ;mode=block", "x-content-type-options": "nosniff", "content-security-policy": "frame-ancestors 'self' securonix.net; default-src 'self' secur
...
```

### Get Top Threats

Get top threats in the specified time period and the count of violators for each threat.

Endpoint URL: `snypr/ws/sccwidget/gettopthreats`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.dateunit | string | required | Parameters for the Get Top Threats action |
| parameters.dateunitvalue | number | required | Parameters for the Get Top Threats action |
| parameters.offset | number | required | Parameters for the Get Top Threats action |
| parameters.max | number | required | Parameters for the Get Top Threats action |

Input example:

```json
{"parameters": {"dateunit": "days", "dateunitvalue": 90, "offset": 0, "max": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | object | Output field response |
| response.date range | array | Output field date range |
| response.total records | number | Output field total records |
| response.docs | array | Output field docs |
| response.docs.threat model id | number | Unique identifier |
| response.docs.threat nodel name | string | Name of the resource |
| response.docs.description | string | Output field description |
| response.docs.criticality | string | Output field criticality |
| response.docs.no of violator | number | Output field no of violator |
| response.docs.generation time | number | Time value |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 25 Jan 2024 00:34:04 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=31536000 ; includeSubDomains", "cache-control": "private, no-store, no-cache, must-revalidate", "x-frame-options": "DENY", "pragma": "no-cache", "x-xss-protection": "1 ;mode=block", "x-content-type-options": "nosniff", "content-security-policy": "frame-ancestors 'self' securonix.net; default-src 'self'
...
```

### Get Top Violations

Get top violations in the specified time period and the count of violators for each violation.

Endpoint URL: `snypr/ws/sccwidget/gettopviolations`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.dateunit | string | required | Parameters for the Get Top Violations action |
| parameters.dateunitvalue | number | required | Parameters for the Get Top Violations action |
| parameters.offset | number | required | Parameters for the Get Top Violations action |
| parameters.max | number | required | Parameters for the Get Top Violations action |

Input example:

```json
{"parameters": {"dateunit": "days", "dateunitvalue": 90, "offset": 0, "max": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | object | Output field response |
| response.date range | array | Output field date range |
| response.total records | number | Output field total records |
| response.docs | array | Output field docs |
| response.docs.policy id | number | Unique identifier |
| response.docs.policy name | string | Name of the resource |
| response.docs.criticality | string | Output field criticality |
| response.docs.violation entity | string | Output field violation entity |
| response.docs.policy category | string | Output field policy category |
| response.docs.threat indicator | string | Output field threat indicator |
| response.docs.generation time | number | Time value |
| response.docs.no of violator | number | Output field no of violator |
| response.docs.description | string | Output field description |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 25 Jan 2024 00:33:45 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=31536000 ; includeSubDomains", "cache-control": "private, no-store, no-cache, must-revalidate", "x-frame-options": "DENY", "pragma": "no-cache", "x-xss-protection": "1 ;mode=block", "x-content-type-options": "nosniff", "content-security-policy": "frame-ancestors 'self' securonix.net; default-src 'self'
...
```

### Get Top Violators

Get top violators in the specified time period and the risk score of each violator.

Endpoint URL: `snypr/ws/sccwidget/gettopviolators`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.dateunit | string | required | Parameters for the Get Top Violators action |
| parameters.dateunitvalue | number | required | Parameters for the Get Top Violators action |
| parameters.offset | number | required | Parameters for the Get Top Violators action |
| parameters.max | number | required | Parameters for the Get Top Violators action |

Input example:

```json
{"parameters": {"dateunit": "days", "dateunitvalue": 90, "offset": 0, "max": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | object | Output field response |
| response.date range | array | Output field date range |
| response.total records | number | Output field total records |
| response.docs | array | Output field docs |
| response.docs.name | string | Name of the resource |
| response.docs.violator entity | string | Output field violator entity |
| response.docs.risk score | number | Score value |
| response.docs.generation time | number | Time value |
| response.docs.department | string | Output field department |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 25 Jan 2024 00:33:27 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=31536000 ; includeSubDomains", "cache-control": "private, no-store, no-cache, must-revalidate", "x-frame-options": "DENY", "pragma": "no-cache", "x-xss-protection": "1 ;mode=block", "x-content-type-options": "nosniff", "content-security-policy": "frame-ancestors 'self' securonix.net; default-src 'self'
...
```

### List All Policies

List the policies (also called rules) configured in SNYPR to detect violators, violations and threats. The response includes all policies available in the system.

Endpoint URL: `snypr/ws/policy/getallpolicies`
Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policies | object | Output field policies |
| policies.policy | array | Output field policy |
| policies.policy.createdby | string | Output field createdby |
| policies.policy.createdon | string | Output field createdon |
| policies.policy.criticality | string | Output field criticality |
| policies.policy.description | string | Output field description |
| policies.policy.hql | object | Output field hql |
| policies.policy.id | string | Unique identifier |
| policies.policy.name | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 25 Jan 2024 00:32:56 GMT", "content-type": "application/xml", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=31536000 ; includeSubDomains", "cache-control": "private, no-store, no-cache, must-revalidate", "x-frame-options": "DENY", "pragma": "no-cache", "x-xss-protection": "1 ;mode=block", "x-content-type-options": "nosniff", "content-security-policy": "frame-ancestors 'self' securonix.net; default-src 'self'
...
```

### List All Users

List all users in the user collection.

Endpoint URL: `snypr/ws/spotter/index/search?query=index=users`
Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totaldocuments | number | Output field totaldocuments |
| events | array | Output field events |
| events.country | string | Output field country |
| events.userriskscore | string | Score value |
| events.firstname | string | Name of the resource |
| events.employeetype | string | Type of the resource |
| events.manageremployeeid | string | Unique identifier |
| events.masked | string | Output field masked |
| events.usertimezoneoffset | string | Output field usertimezoneoffset |
| events.createdate | string | Date value |
| events.title | string | Output field title |
| events.employeeid | string | Unique identifier |
| events.userid | string | Unique identifier |
| events.lastname | string | Name of the resource |
| events.division | string | Output field division |
| events.tenantid | string | Unique identifier |
| events.usercriticality | string | Output field usercriticality |
| events.managerlastname | string | Name of the resource |
| events.workemail | string | Output field workemail |
| events.tenantname | string | Name of the resource |
| events.location | string | Output field location |
| events.fullname | string | Name of the resource |
| events.department | string | Output field department |

Output example:

```json
{"status_code": 200, "response_headers": {"date": "Thu, 25 Jan 2024 00:29:53 GMT", "content-type": "text/plain", "transfer-encoding": "chunked", "connection": "keep-alive", "strict-transport-security": "max-age=31536000 ; includeSubDomains", "cache-control": "private, no-store, no-cache, must-revalidate", "x-frame-options": "DENY", "pragma": "no-cache", "x-xss-protection": "1 ;mode=block", "x-content-type-options": "nosniff", "content-security-policy": "frame-ancestors 'self' securonix.net; default-src 'self' secur
...
```

### Retrieve List of Incidents

Retrieve a list of incidents.

Endpoint URL: `snypr/ws/incident/get`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.type | string | required | Enter the type as `list` |
| parameters.from | string | required | Enter the start time (epoch) in ms |
| parameters.to | string | required | Enter the end time in ms |
| parameters.offset | number | optional | This parameter is optional and used for pagination |
| parameters.status | string | optional | Enter the status of the incident. This parameter is optional |
| parameters.rangeType | string | required | Parameters for the Retrieve List of Incidents action |
| parameters.allowChildCases | boolean | optional | Enter `true` to receive the list of child cases associated with a parent case in the response, otherwise enter `false`. This parameter is optional |
| parameters.max | number | optional | Enter the maximum number of records the API will display. This is a numeral value and it is optional |
| parameters.sort | string | optional | Parameters for the Retrieve List of Incidents action |
| parameters.order | string | optional | Parameters for the Retrieve List of Incidents action |
| parameters.tenantname | string | optional | The name of the tenant from which the incidents will be retrieved |
| headers | object | required | HTTP headers for the request |
| headers.Accept | string | required | HTTP headers for the request |

Input example:

```json
{"parameters": {"type": "list", "from": "1559161800000", "to": "1559806119000", "offset": 0, "status": "open", "rangeType": "opened", "allowChildCases": true, "max": 100, "sort": "desc", "order": "desc", "tenantname": "securonix tenant name"}, "headers": {"Accept": "application/vnd.snypr.app.v3.0+json"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result | object | Result of the operation |
| result.data | object | Response data |
| result.data.totalIncidents | number | Response data |
| result.data.incidentItems | array | Response data |
| result.data.incidentItems.violatorText | string | Response data |
| result.data.incidentItems.lastUpdateDate | number | Response data |
| result.data.incidentItems.violatorId | string | Response data |
| result.data.incidentItems.incidentType | string | Response data |
| result.data.incidentItems.incidentId | string | Response data |
| result.data.incidentItems.incidentStatus | string | Response data |
| result.data.incidentItems.riskscore | number | Response data |
| result.data.incidentItems.assignedUser | string | Response data |
| result.data.incidentItems.priority | string | Response data |
| result.data.incidentItems.reason | array | Response data |
| result.data.incidentItems.violatorSubText | string | Response data |
| result.data.incidentItems.entity | string | Response data |
| result.data.incidentItems.workflowName | string | Response data |
| result.data.incidentItems.url | string | Response data |
| result.data.incidentItems.isWhitelisted | boolean | Response data |
| result.data.incidentItems.watchlisted | boolean | Response data |
| result.data.incidentItems.tenantInfo | object | Response data |
| result.data.incidentItems.tenantInfo.tenantid | number | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"content-length": "140", "content-type": "application/json", "date": "Mon, 19 Feb 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"status": "OK", "result": {"data": {}}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | private, no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; object-src 'self' securonix.net data: blob:; script-src 'unsafe-inline' 'unsafe-eval' 'self' securonix.net https://edge.fullstory.com https://rs.fullstory.com http://iph.zoominsoftware.io/widget.js data: blob:; style-src 'self' securonix.net https://fonts.googleapis.com 'unsafe-inline'; font-src 'self' securonix.net https://fonts.gstatic.com 'unsafe-inline'; connect-src 'self' securonix.net https://edge.fullstory.com https://rs.fullstory.com https://securonix-be-prod.zoominsoftware.io http://documentation-be.securonix.com wss://saaspoc5t16expo.securonix.net:443 data: blob:; img-src 'self' securonix.net https://rs.fullstory.com data: https:; child-src 'self' securonix.net blob:; |
| Content-Type | The media type of the resource | application/xml |
| Date | The date and time at which the message was originated | Thu, 25 Jan 2024 00:33:27 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Set-Cookie | HTTP response header Set-Cookie | JSESSIONID=610ace2e3babf8b2a161b50770a84799; Path=/Snypr; Secure; HttpOnly |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 ; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1 ;mode=block |
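The following is an added example, not code from the connector or from Securonix: it builds the "all violations by policy name" query and the Run Activity Query URL described above, enforces the asset-URL and MSSP `tenantname` notes, and pages through Retrieve List of Incidents results with `offset`/`max`. It assumes the asset URL has the form `https://host/snypr`, that the query-string parameter names are exactly those in the input examples, and it uses a constructed in-memory server in place of the network.

```python
"""Added example, not connector code: SNYPR request builders and an offset/max pager; assumes asset URL https://host/snypr."""
from datetime import datetime
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # eventtime_from / eventtime_to format taken from the input example


def violations_by_policy(policy_name: str, *extra: str) -> str:
    """'All violations by policy name' query from the note above; quotes/pipes are rejected, not escaped."""
    if any(c in policy_name for c in '"|'):
        raise ValueError("policy name must not contain quotes or pipes")
    return " and ".join([f'index=violation and policyname = "{policy_name}"', *extra])


def activity_query_url(base: str, query: str, start: datetime, end: datetime, max_rows: int = 1000) -> str:
    """URL for GET snypr/ws/spotter/index/search with the documented parameters (names assumed from the example)."""
    base = base.rstrip("/")
    if not base.lower().endswith("/snypr"):  # asset note: hostname-or-ip/snypr
        raise ValueError("asset URL must end in /snypr")
    params = {"query": query, "eventtime_from": start.strftime(TIME_FMT), "eventtime_to": end.strftime(TIME_FMT),
              "tz": "UTC", "prettyJson": "true", "max": max_rows}
    return f"{base}/ws/spotter/index/search?{urlencode(params)}"


def incident_params(start_ms: int, end_ms: int, range_type: str = "opened", mssp: bool = False,
                    tenant: Optional[str] = None, max_rows: int = 100) -> Dict:
    """Parameters for GET snypr/ws/incident/get; tenantname is mandatory only for MSSP deployments."""
    if mssp and not tenant:
        raise ValueError("tenantname is required for MSSP deployments")
    p = {"type": "list", "from": str(start_ms), "to": str(end_ms), "rangeType": range_type, "max": max_rows}
    if tenant:
        p["tenantname"] = tenant
    return p


def iter_incidents(fetch: Callable[[Dict], Dict], params: Dict) -> Iterator[Dict]:
    """Page through result.data.incidentItems via offset/max; `fetch` does the GET and returns the JSON body."""
    offset = 0
    while True:
        data = fetch({**params, "offset": offset}).get("result", {}).get("data", {})
        items = data.get("incidentItems", [])
        yield from items
        offset += len(items)
        if not items or offset >= int(data.get("totalIncidents", 0)):
            return


def demo_incident_ids() -> List[str]:
    """Constructed three-incident server answering in pages of two, so the pager runs without a network."""
    fake = [{"incidentId": str(i), "incidentStatus": "open"} for i in (100, 101, 102)]
    def fetch(p: Dict) -> Dict:  # stands in for the HTTP GET against snypr/ws/incident/get
        page = fake[p["offset"]:p["offset"] + p["max"]]
        return {"status": "OK", "result": {"data": {"totalIncidents": 3, "incidentItems": page}}}
    return [i["incidentId"] for i in iter_incidents(fetch, incident_params(1559161800000, 1559806119000, max_rows=2))]
```

Against a live system, `fetch` would issue the GET with the `Accept: application/vnd.snypr.app.v3.0+json` header from the input example and return the parsed body.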